Department of Health and Human Services
OFFICE OF INSPECTOR GENERAL

QUALITY SOFTWARE SERVICES, INC., HAD NOT IMPLEMENTED UNIVERSAL SERIAL BUS DEVICE AND PORT CONTROLS

Inquiries about this report may be addressed to the Office of Public Affairs at Public.Affairs@oig.hhs.gov.

Kay L. Daly
Assistant Inspector General

June 2013
A-04-12-05045

Office of Inspector General
https://oig.hhs.gov

The mission of the Office of Inspector General (OIG), as mandated by Public Law 95-452, as amended, is to protect the integrity of the Department of Health and Human Services (HHS) programs, as well as the health and welfare of beneficiaries served by those programs. This statutory mission is carried out through a nationwide network of audits, investigations, and inspections conducted by the following operating components:

Office of Audit Services

The Office of Audit Services (OAS) provides auditing services for HHS, either by conducting audits with its own audit resources or by overseeing audit work done by others. Audits examine the performance of HHS programs and/or its grantees and contractors in carrying out their respective responsibilities and are intended to provide independent assessments of HHS programs and operations. These assessments help reduce waste, abuse, and mismanagement and promote economy and efficiency throughout HHS.

Office of Evaluation and Inspections

The Office of Evaluation and Inspections (OEI) conducts national evaluations to provide HHS, Congress, and the public with timely, useful, and reliable information on significant issues. These evaluations focus on preventing fraud, waste, or abuse and promoting economy, efficiency, and effectiveness of departmental programs. To promote impact, OEI reports also present practical recommendations for improving program operations.

Office of Investigations

The Office of Investigations (OI) conducts criminal, civil, and administrative investigations of fraud and misconduct related to HHS programs, operations, and beneficiaries. With investigators working in all 50 States and the District of Columbia, OI utilizes its resources by actively coordinating with the Department of Justice and other Federal, State, and local law enforcement authorities. The investigative efforts of OI often lead to criminal convictions, administrative sanctions, and/or civil monetary penalties.

Office of Counsel to the Inspector General

The Office of Counsel to the Inspector General (OCIG) provides general legal services to OIG, rendering advice and opinions on HHS programs and operations and providing all legal support for OIG’s internal operations. OCIG represents OIG in all civil and administrative fraud and abuse cases involving HHS programs, including False Claims Act, program exclusion, and civil monetary penalty cases. In connection with these cases, OCIG also negotiates and monitors corporate integrity agreements. OCIG renders advisory opinions, issues compliance program guidance, publishes fraud alerts, and provides other guidance to the health care industry concerning the anti-kickback statute and other OIG enforcement authorities.

Notices

THIS REPORT IS AVAILABLE TO THE PUBLIC at https://oig.hhs.gov

Section 8L of the Inspector General Act, 5 U.S.C. App., requires that OIG post its publicly available reports on the OIG Web site.

OFFICE OF AUDIT SERVICES FINDINGS AND OPINIONS

The designation of financial or management practices as questionable, a recommendation for the disallowance of costs incurred or claimed, and any other conclusions and recommendations in this report represent the findings and opinions of OAS. Authorized officials of the HHS operating divisions will make final determination on these matters.

EXECUTIVE SUMMARY

Quality Software Services, Inc., did not sufficiently implement CMS-required information system security controls over USB ports and devices, thus risking exposure of personally identifiable information for over 6 million Medicare beneficiaries.

WHY WE DID THIS REVIEW

Universal Serial Bus devices (USB devices) have become common in the workplace. Many individuals have several USB devices, such as jump drives and smart phones, for use with both their personal and professional computers. Because USB devices connect directly into computers and can store large amounts of data, they can potentially cause serious harm to computers and networks or compromise sensitive data if their use is not properly controlled. In an attempt to limit the risk to personally identifiable information (PII) for Medicare beneficiaries, we assessed the USB device controls at Quality Software Services, Inc. (QSSI), the contractor responsible for testing changes to the Centers for Medicare & Medicaid Services (CMS) Medicare systems and the effect of those changes on beneficiary data.

The objective of our audit was to determine whether QSSI had sufficiently implemented Federal requirements for information system security controls over USB ports and devices.

BACKGROUND

QSSI is a testing contractor for CMS that provides independent testing services for changes to Medicare Part A and B “Fee-for-Service” standard systems. Its test systems maintain data on over 6 million Medicare beneficiaries for testing purposes. QSSI provides related hardware, software, and connectivity required to host test environments and test software changes to the CMS Common Working File, Multi-Carrier System, Fiscal Intermediary Standard System, the Healthcare Integrated General Ledger Accounting System, and the Viable Information Processing System Medicare System.

WHAT WE FOUND

QSSI had not sufficiently implemented Federal requirements for information system security controls over USB ports and devices. Specifically, QSSI had not: (1) listed essential system services or ports in its system security plan or (2) disabled, prohibited, or restricted the use of unauthorized USB device access. QSSI had not implemented USB security controls because management had not updated its USB control policies and procedures. As a result of QSSI’s insufficient controls over USB ports and devices, the PII of over 6 million Medicare beneficiaries was at greater risk from malware, inappropriate access, or theft.

Quality Software Services, Inc., Had Not Implemented USB Controls (A-04-12-05045)

WHAT WE RECOMMEND

We recommend that QSSI update and implement sufficient policies and procedures to ensure that USB controls comply with Federal requirements, including CMS Information Security Acceptable Risk Safeguards. Specifically, QSSI should:

    •   list essential system services and ports in its system security plan;

    •   update its policies and procedures to prohibit the use of unauthorized USB devices on its systems that store or process Medicare information;

    •   limit USB port access to essential connections; and

    •   disable, prohibit, or restrict unauthorized USB device access.

QUALITY SOFTWARE SERVICES, INC., COMMENTS AND OUR RESPONSE

In its response to our draft report, QSSI described the corrective actions it had taken and planned to take to address three of our four recommendations.

Specifically, QSSI:

    •   revised the corporate Network Access Control policy to establish usage restrictions and implementation guidance for mobile devices,

    •   plans to implement “Read only” restrictions for USB ports in all laptops and to disable the capability for automatic execution of code without user direction, and

    •   plans to require the scanning of all portable and mobile devices to detect malicious code.

However, QSSI did not address our first recommendation regarding its system security plan. We reiterate that QSSI should update its system security plan to include lists of essential system services and ports.

TABLE OF CONTENTS

INTRODUCTION (page 1)
    Why We Did This Review (1)
    Objective (1)
    Background (1)
        Federal Government Information Security Controls and Requirements (1)
        Universal Serial Bus Devices (1)
        Quality Software Services, Incorporated (2)
    How We Conducted This Review (2)

FINDING (3)
    Universal Serial Bus Device Security Controls Not Sufficiently Implemented (3)

RECOMMENDATIONS (4)

QUALITY SOFTWARE SERVICES, INC., COMMENTS AND OFFICE OF INSPECTOR GENERAL RESPONSE (4)

APPENDIXES
    A: Audit Scope and Methodology (6)
    B: Risk Scale and Necessary Actions (7)
    C: Federal Requirements for Universal Serial Bus Controls (8)
    D: Quality Software Services, Inc., Comments (10)

INTRODUCTION

WHY WE DID THIS REVIEW

Universal Serial Bus devices (USB devices) have become common in the workplace. Many individuals have several USB devices, such as jump drives and smart phones, for use with both their personal and professional computers. Because USB devices connect directly into computers and can store large amounts of data, they can potentially cause serious harm to computers and networks or compromise sensitive data if their use is not properly controlled. In an attempt to limit the risk to personally identifiable information (PII) for Medicare beneficiaries, we assessed the USB device controls at Quality Software Services, Inc. (QSSI), the contractor responsible for testing changes to the Centers for Medicare & Medicaid Services (CMS) Medicare systems and the effect of those changes on beneficiary data.

OBJECTIVE

The objective of our audit was to determine whether QSSI had sufficiently implemented Federal requirements for information system security controls over USB ports and devices.

BACKGROUND

Federal Government Information Security Controls and Requirements

The Federal Information Security Management Act of 2002 (FISMA) and the Office of Management and Budget (OMB) required Federal agencies to comply with the National Institute of Standards and Technology (NIST) standards and guidelines to improve the efficiency and security of Federal information systems. In response to FISMA, NIST published the Federal Information Processing Standard 200 (FIPS 200), which designates NIST Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems and Organizations, as amended, to meet FISMA requirements.

To comply with FISMA, CMS incorporated NIST SP 800-53 into its CMS Information Security Acceptable Risk Safeguards (Risk Safeguards). CMS requires that all of its FISMA-governed systems, including those managed by its contractors, follow these Risk Safeguards.

Universal Serial Bus Devices

USB devices include portable data storage devices, commonly known as jump, flash, or thumb drives, and other devices that can store data and connect to systems through USB ports (e.g., external hard drives, iPods, and smart phones). Despite being small and highly portable, USB devices can store and transport large amounts of data, thus creating a vulnerability to computer systems and sensitive data, including proprietary information and PII.

An example of how USB devices can infect computer networks with malicious software (malware) occurred in 2008 when an individual inserted an infected USB device into a military computer. The USB device transmitted malware into the computer, and the malware spread undetected to other government computer networks. Deputy Defense Secretary William Lynn described that incident as the “most significant breach of U.S. military computers ever.” Since then, other publicized incidents of USB device malware transmission included the 2010 “Stuxnet” infection of Iran’s nuclear facilities and the “Gauss” malware, which was used to steal information from the banking industry.

An example of how USB devices can contribute to the loss of PII occurred in 2011 when a University of Texas trainee lost an unencrypted USB device on the employee shuttle bus. The unencrypted USB device potentially exposed medical records containing the PII of 2,200 patients. In another recent incident in July 2012, a home burglar in Oregon stole a hospital employee’s thumb drive containing data on over 14,000 patients. In many of these cases, it is difficult to determine whether or when anyone will use the breached data in a crime.

Quality Software Services, Incorporated

QSSI is a testing contractor for CMS that provides independent testing services[1] for changes to Medicare Part A and B “Fee-for-Service”[2] standard systems. Its test systems maintain data on over 6 million Medicare beneficiaries for testing purposes.[3] QSSI provides related hardware, software, and connectivity required to host and test software changes to the CMS Common Working File, Multi-Carrier System, Fiscal Intermediary Standard System, the Healthcare Integrated General Ledger Accounting System, and the ViPS Medicare System.[4]

HOW WE CONDUCTED THIS REVIEW

We limited our review to the controls and workstation configurations QSSI established over USB ports and devices. We assessed how QSSI set up its USB ports for 30 judgmentally selected workstations at QSSI’s office in Columbia, South Carolina. In addition, we reviewed QSSI’s policies for users to follow.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

[1] QSSI performs systems, functional, integration, volume regression, and production-ready testing on changes to Medicare standard systems for CMS.

[2] Fee-for-Service is a separate payment to a health-care provider for each medical service rendered to a patient.

[3] QSSI’s test environment contains all the information necessary to process a Medicare transaction. As of October 9, 2012, this information included 6,667,459 unique Medicare beneficiary records.

[4] Viable Information Processing System Medicare System.

Appendix A contains the details of our audit scope and methodology. Appendix B contains a description of risk levels and the resulting necessary actions.

FINDING

QSSI had not sufficiently implemented Federal requirements for information system security controls over USB ports and devices. Specifically, QSSI had not:

    •   listed essential system services or ports in its system security plan; or

    •   disabled, prohibited, or restricted the use of unauthorized USB device access.

QSSI had not implemented USB security controls because its management had not updated its USB control policies and procedures. As a result of QSSI’s insufficient controls over USB ports and devices, the PII of over 6 million Medicare beneficiaries was at greater risk from malware, inappropriate access, or theft.

UNIVERSAL SERIAL BUS DEVICE SECURITY CONTROLS NOT SUFFICIENTLY IMPLEMENTED

CMS’s Risk Safeguards require that business owners, including contractors, include essential USB ports in their system security plans and set up their workstations to restrict the use of unnecessary USB ports. The Risk Safeguards further require that business owners prohibit the use of unauthorized USB devices in CMS information systems. (For details on the Federal requirements related to controls over USB ports and devices, see Appendix C.)

Although QSSI advised its users against using personal devices on work computers and warned them not to connect USB devices from unknown sources into work computers as part of its Security Awareness training, QSSI had not sufficiently implemented Federal requirements for information system security controls over USB ports and devices. Specifically, QSSI had not:

    •   listed essential system services or ports in its system security plan; or

    •   disabled, prohibited, or restricted the use of unauthorized USB device access.

QSSI had not implemented USB security controls because its management had not updated its USB control policies and procedures. QSSI officials maintained that the security guidelines covered during Security Awareness training were not part of QSSI’s policies and that QSSI had not required employees to follow those guidelines.

We assigned a risk ranking of “high” to this finding based on the criteria listed in NIST SP 800-30. (For details on risk ranking criteria, see Appendix B.) Because of insufficient controls prohibiting the use of unauthorized USB device access, QSSI employees had connected a wide variety of personal USB devices to the 30 tested workstations. For example, someone had connected 28 different USB mass storage devices to one workstation, but QSSI was not able to determine whether the 28 devices were authorized. Twenty-nine of the thirty workstations showed evidence that additional devices had been connected to USB ports, including camcorders, tablets, iPods, eBooks, navigation devices, and smart phones.
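The device counts in the finding above are the output of a device-history check of the kind the auditors ran on the 30 workstations. The following script is an added example, not code from the OIG report or from QSSI: it parses device-instance paths in the form Windows records under HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR for every USB mass storage device ever attached, counts distinct devices per workstation, and flags serial numbers absent from an authorized-device list, as well as devices that reported no hardware serial number (Windows substitutes a generated ID for these) and so cannot be tied to an owner. The workstation names, device paths, serial numbers and the authorized list are constructed sample data, not values from the audit; the registry location is the standard one.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Windows records every USB mass storage device ever attached under
# HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\<class>&Ven_<vendor>&Prod_<product>&Rev_<rev>\<instance id>
# The inventory below is CONSTRUCTED for this example; it is not data from the audit.
SAMPLE_INVENTORY: Dict[str, List[str]] = {
    "WS-01": [
        r"USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001230512345678&0",
        r"USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\0019E06B1234567890AB&0",
        # Instance id "7&2ab3c4d5&0": the device reported no serial number, so Windows generated one.
        r"USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&2ab3c4d5&0",
    ],
    "WS-02": [
        r"USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001230512345678&0",
        r"USBSTOR\CdRom&Ven_Apple&Prod_iPod&Rev_1.00\000A27001234567&0",
    ],
    "WS-03": [],
}

# Serial numbers of devices authorized in writing for these systems (constructed).
AUTHORIZED_SERIALS: Set[str] = {"4C530001230512345678"}

USBSTOR_RE = re.compile(
    r"^USBSTOR\\(?P<cls>[^&\\]+)&Ven_(?P<ven>[^&\\]*)&Prod_(?P<prod>[^&\\]*)&Rev_(?P<rev>[^\\]*)"
    r"\\(?P<inst>[^\\]+)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class UsbDevice:
    workstation: str
    device_class: str      # Disk, CdRom, ...
    vendor: str
    product: str
    serial: Optional[str]  # None when the device reported no hardware serial number


def parse_usbstor_path(workstation: str, path: str) -> UsbDevice:
    """Split one USBSTOR device-instance path into its components."""
    m = USBSTOR_RE.match(path)
    if not m:
        raise ValueError(f"not a USBSTOR device-instance path: {path}")
    inst = m.group("inst")
    # A real serial appears as "<serial>&<port>"; a Windows-generated id has the form
    # "<digit>&<hex>&0&...", so an '&' in the second position marks a serial-less device.
    serial = None if len(inst) > 1 and inst[1] == "&" else inst.split("&", 1)[0]
    return UsbDevice(workstation, m.group("cls"), m.group("ven"), m.group("prod"), serial)


def audit_workstations(inventory: Dict[str, List[str]], authorized: Set[str]) -> Dict[str, dict]:
    """Per workstation: device counts, unauthorized serials, and serial-less devices."""
    report: Dict[str, dict] = {}
    for ws, paths in inventory.items():
        devices = [parse_usbstor_path(ws, p) for p in paths]
        unauthorized = sorted({d.serial for d in devices
                               if d.serial is not None and d.serial not in authorized})
        no_serial = sum(1 for d in devices if d.serial is None)
        report[ws] = {
            "distinct_devices": len(set(paths)),
            "by_class": dict(Counter(d.device_class for d in devices)),
            "unauthorized_serials": unauthorized,
            "devices_without_serial": no_serial,
            "compliant": not unauthorized and no_serial == 0,
        }
    return report


def summarize(report: Dict[str, dict]) -> Tuple[int, int]:
    """(workstations with an unauthorized or unidentifiable device, workstations audited)."""
    return (sum(1 for r in report.values() if not r["compliant"]), len(report))


if __name__ == "__main__":
    result = audit_workstations(SAMPLE_INVENTORY, AUTHORIZED_SERIALS)
    for ws, entry in result.items():
        print(ws, entry)
    print("non-compliant workstations: %d of %d" % summarize(result))
```

On a live host the same paths are the subkey names under the USBSTOR enumeration key, so the check amounts to exporting that key from each workstation and comparing the serials with the written authorizations the system security plan is supposed to hold; a serial-less device is worth its own line in the report because, as with QSSI's 28 devices, nothing on the workstation can say whose it was.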
The uncontrolled USB port access increased the possibility that anyone with physical access to a USB port could have introduced malware to CMS test systems or inappropriately accessed Medicare beneficiary PII, thus putting the PII of over 6 million Medicare beneficiaries at greater risk from malware, inappropriate access, or theft.

RECOMMENDATIONS

We recommend that QSSI update and implement sufficient policies and procedures to ensure that USB controls comply with Federal requirements, including CMS’s Risk Safeguards. Specifically, QSSI should:

    •   list essential system services and ports in its system security plan;

    •   update its policies and procedures to prohibit the use of unauthorized USB devices on its systems that store or process Medicare information;

    •   limit USB port access to essential connections; and

    •   disable, prohibit, or restrict unauthorized USB device access.

QUALITY SOFTWARE SERVICES, INC., COMMENTS AND OFFICE OF INSPECTOR GENERAL RESPONSE

In its response to our draft report, QSSI described the corrective actions it had taken and planned to take to address three of our four recommendations.

Specifically, QSSI:

    •   revised the corporate Network Access Control policy to establish usage restrictions and implementation guidance for mobile devices,

    •   plans to implement “Read only” restrictions for USB ports in all laptops and to disable the capability to automatically run applications without user direction, and

    •   plans to require the scanning of all portable and mobile devices to detect malicious code.

However, QSSI did not address our first recommendation regarding its system security plan. We reiterate that, to comply with Federal regulations, QSSI should update its system security plan to include lists of essential system services and ports.

We included QSSI’s comments in their entirety as Appendix D. However, we redacted the names in the “To” field of the email QSSI used for communicating its comments on our report because it contained the names of auditors and program officials not employed by QSSI. We also redacted the name of the software QSSI stated it plans to use on its portable and mobile devices to detect malicious code and computer viruses.

APPENDIX A: AUDIT SCOPE AND METHODOLOGY

SCOPE

We limited our review to the controls over QSSI’s USB ports and devices and did not evaluate its internal controls as a whole.

Specifically, we determined whether QSSI had policies governing USB device usage on QSSI systems and what logical controls QSSI had over USB port functionality on individual workstations. We also evaluated the number and type of USB devices connected to QSSI workstations at one QSSI office.

We performed our fieldwork at QSSI’s facility located in Columbia, South Carolina, during May 2012.

METHODOLOGY

To accomplish our objective, we:

    •   reviewed applicable Federal laws, regulations, and guidance;

    •   assessed QSSI policies for control over USB devices;

    •   interviewed QSSI staff about USB device controls and information system configurations; and

    •   judgmentally selected 30 workstations with access to the QSSI network to assess their USB port configurations and determine all previous USB devices connected to those workstations.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.

APPENDIX B: RISK SCALE AND NECESSARY ACTIONS

RISK RANKING CRITERIA

We assigned a risk ranking to our finding based on the criteria listed in NIST SP 800-30, dated July 2002, Table 3-7, entitled Risk Scale and Necessary Actions (below). To assign the risk ranking, we considered the Likelihood Level (Table 3-4) and Magnitude of Impact (Table 3-5), both also in SP 800-30. We limited our assessment of Magnitude of Impact to the risks associated with QSSI’s Medicare testing program and, specifically, with the confidentiality of Medicare beneficiary data. The risk scale shown below represents the degree or level of risk to which an IT system can be exposed if a vulnerability is exploited.

Table 3-7. Risk Scale and Necessary Actions

Risk Level: High
Risk Description and Necessary Actions: If an observation or finding is evaluated as a high risk, there is a strong need for corrective measures. An existing system may continue to operate, but a corrective action plan must be put in place as soon as possible.

Risk Level: Medium
Risk Description and Necessary Actions: If an observation is rated as medium risk, corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time.

Risk Level: Low
Risk Description and Necessary Actions: If an observation is described as low risk, the system’s Designated Approving Authority must determine whether corrective actions are still required or decide to accept the risk.

APPENDIX C: FEDERAL REQUIREMENTS FOR UNIVERSAL SERIAL BUS CONTROLS

FISMA and OMB required Federal agencies to comply with NIST standards and guidelines to improve the efficiency and security of Federal information systems. In response to FISMA, NIST published FIPS 200, which designates NIST SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations, as amended, to meet FISMA requirements.

To comply with FISMA, CMS incorporated NIST SP 800-53 into its Risk Safeguards.

The CMS Risk Safeguards (Rev.1, 05-24-11) Scope states:

        All CMS employees, contractors, sub-contractors, and their respective facilities supporting CMS business missions and performing work on behalf of CMS shall observe the baseline policy statements described in the … [Policy for the Information Security Program] and the complementary controls defined in the … [Risk Safeguards] as the minimum security requirements for all CMS information and information systems.

CMS Risk Safeguards, Rev.1, 05-24-11, Appendix B: CMS Minimum Security Requirements for Moderate Impact Level Data, Section 5.0, Configuration Management (CM) – Operational - CM-7 – Least Functionality (Moderate) Control states:

        The organization configures the information system to provide only essential capabilities and specifically disables, prohibits, or restricts the use of system services, ports, network protocols, and capabilities that are not explicitly required for system or application functionality. A list of specifically needed system services, ports, and network protocols will be maintained and documented in the … [system security plan]; all others will be disabled.

CMS Risk Safeguards, Rev.1, 05-24-11, Appendix B: CMS Minimum Security Requirements for Moderate Impact Level Data, Section 1.0, Access Control (AC) – Technical - AC-19 – Access Control for Mobile Devices (Moderate) Controls states:

        The organization prohibits the connection of portable and mobile devices (e.g., notebook computers, personal digital assistants, cellular telephones, and other computing and communications devices with network connectivity and the capability of periodically operating in different physical locations) to CMS information systems unless explicitly authorized, in writing, by the CIO or his/her designated representative.

        AC-19 (1) – Enhancement (Moderate)

        The organization restricts the use of writable, removable media in CMS information systems.

        AC-19 (2) – Enhancement (Moderate)

        The organization prohibits the use of personally owned, removable media in CMS information systems.

        AC-19 (3) – Enhancement (Moderate)

        The organization prohibits the use of removable media in CMS information systems when the media has no identifiable owner.

APPENDIX D: QUALITY SOFTWARE SERVICES, INCORPORATED COMMENTS

  Subject:   RE: A-04-12-05045 written comments not received
  Date:      Friday, January 11, 2013 1:43:45 PM

  Beverly,

  Thank you for the follow-up. Please see below our comment to the finding:

  QSSI has revised the corporate Network Access Control policy to establish usage restrictions and implementation guidance for mobile devices. Accordingly, QSSI plans to implement a group policy that enforces "Read" only access right for USB ports in all STC laptops and disables the capability for automatic execution of code without user direction; all portable and mobile devices must be scanned using [software name redacted] software to detect malicious code and computer virus.

  Please let me know should you have any questions.

  Thank you!

  Anh Tran
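The AC-19(1) enhancement in Appendix C (restrict writable removable media), CM-7 (disable capabilities not explicitly required) and the group policy QSSI says it plans to deploy (read-only USB ports, no automatic execution of code) together describe a workstation baseline that can be checked mechanically. The following script is an added example, not from the OIG report or from QSSI: it evaluates a snapshot of the Windows machine-policy registry values that implement those settings (the Removable Storage Access values Deny_All and Deny_Write, the USBSTOR service Start value, and the Explorer NoAutorun and NoDriveTypeAutoRun values) against that baseline and names the control each deficiency maps to. The snapshots are constructed; the value paths are the standard Windows policy locations, and the mapping of each setting to a CMS control is this example's own reading of Appendix C, not a determination in the report.

```python
from typing import Dict, List

# Registry locations of the Windows policy values that implement the controls.
# The paths are the standard machine-policy locations; the snapshots further down are CONSTRUCTED.
RSD = r"HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices"
REMOVABLE_DISKS = "{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"            # "Removable Disks" device class
DENY_ALL = RSD + r"\Deny_All"                                          # 1 = all removable storage classes: deny all access
DENY_WRITE = RSD + "\\" + REMOVABLE_DISKS + r"\Deny_Write"              # 1 = removable disks: deny write access
USBSTOR_START = r"HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Start"  # 4 = USB mass storage driver disabled
EXPLORER = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
NO_AUTORUN = EXPLORER + r"\NoAutorun"                                   # 1 = never execute autorun commands
NO_DRIVE_TYPE_AUTORUN = EXPLORER + r"\NoDriveTypeAutoRun"               # 0xFF = AutoPlay off for every drive type

Snapshot = Dict[str, int]  # value path -> DWORD; a missing entry means the policy is not configured


def removable_storage_posture(snap: Snapshot) -> str:
    """'blocked' (no removable disk access at all), 'read-only' (AC-19(1)), or 'unrestricted'."""
    if snap.get(USBSTOR_START) == 4 or snap.get(DENY_ALL) == 1:
        return "blocked"
    if snap.get(DENY_WRITE) == 1:
        return "read-only"
    return "unrestricted"


def autorun_disabled(snap: Snapshot) -> bool:
    """Both values are needed: NoAutorun stops autorun.inf commands, NoDriveTypeAutoRun stops AutoPlay."""
    return snap.get(NO_AUTORUN) == 1 and snap.get(NO_DRIVE_TYPE_AUTORUN) == 0xFF


def evaluate(workstation: str, snap: Snapshot, require_block: bool = False) -> dict:
    """Compare one workstation's policy snapshot with the baseline and list each deficiency with its control.

    require_block=True models a system security plan that lists USB mass storage as non-essential,
    in which case CM-7 calls for the capability to be disabled rather than merely made read-only.
    """
    findings: List[str] = []
    posture = removable_storage_posture(snap)
    if posture == "unrestricted":
        findings.append("AC-19(1): writable removable media allowed; set Deny_Write=1 for removable "
                        "disks or deny the class entirely")
    elif posture == "read-only" and require_block:
        findings.append("CM-7: baseline requires USB mass storage disabled, but only write access is denied")
    if not autorun_disabled(snap):
        findings.append("CM-7: automatic execution from media not disabled; set NoAutorun=1 and "
                        "NoDriveTypeAutoRun=0xFF")
    return {"workstation": workstation, "posture": posture, "findings": findings,
            "compliant": not findings}


# CONSTRUCTED snapshots: a workstation with no policy applied (the state the finding describes),
# one with the read-only and no-autorun settings QSSI said it planned, and one with USB storage disabled.
WS_UNCONFIGURED: Snapshot = {}
WS_READ_ONLY: Snapshot = {DENY_WRITE: 1, NO_AUTORUN: 1, NO_DRIVE_TYPE_AUTORUN: 0xFF}
WS_BLOCKED: Snapshot = {USBSTOR_START: 4, NO_AUTORUN: 1, NO_DRIVE_TYPE_AUTORUN: 0xFF}


if __name__ == "__main__":
    for name, snap in [("WS-A", WS_UNCONFIGURED), ("WS-B", WS_READ_ONLY), ("WS-C", WS_BLOCKED)]:
        result = evaluate(name, snap)
        print(name, result["posture"], "compliant" if result["compliant"] else result["findings"])
```

Two caveats matter when this baseline is applied to the device mix in the finding. Deny_Write on the Removable Disks class covers thumb drives and external disks only; CD/DVD and the portable devices that attach over MTP/PTP (phones, tablets, media players) are separate classes under the same RemovableStorageDevices key and need their own entries, or Deny_All. And a read-only restriction stops beneficiary data from being copied onto a device but does nothing about content read from it, which is why the scanning QSSI also plans belongs alongside the policy rather than instead of it.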